Decision acknowledges hospital improvements to data, record protection
The Information and Privacy Commissioner (IPC) has completed its decision regarding the 2023 criminal ransomware cyberattack which impacted health records and information systems at Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital.
We appreciate the IPC’s thorough investigation into this matter. We are specifically pleased that the IPC has acknowledged the efforts by the hospitals and TransForm Shared Service Organization to contain the breach after it occurred, as well as improvements made in our data and information protections since the time of the ransomware cyberattack.
We acknowledge that the IPC has noted concern surrounding the notification of individuals whose data was encrypted by the threat actors. In response to this incident, the hospitals issued regular news releases describing the impact on data and operations, participated in multiple press conferences, and directly notified more than 300,000 individuals of the incident.
The hospitals appreciate the IPC’s finding that the hospitals appropriately notified those whose personal health information was stolen during this ransomware attack.
The IPC’s decision concludes the IPC’s investigation – determining no formal review or orders are required.
In an information age where cybersecurity is top of mind across multiple sectors, including public and private sector entities, the hospitals are dedicated to ensuring continued adoption of best practices in an ever-changing global cybersecurity environment.
Due to ongoing litigation, the hospitals are unable to comment further.
For more information on the IPC’s findings, visit: https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/item/521986/index.do .
